Evolutionary Kernel Fuzzing Black Hat USA 2017 Richard Johnson
|
|
- Wendy Daniel
- 6 years ago
- Views:
Transcription
1 Evolutionary Kernel Fuzzing Black Hat USA 2017 Richard Johnson
2 Evolutionary Kernel Fuzzing Richard Johnson Black Hat USA 2017
3 whoami Richard Johnson Research Cisco Talos Vulndev Third party vulnerability research Microsoft Apple Oracle Adobe Google IBM, HP, Intel Security tool development Fuzzers, Crash Triage Mitigation development Special Contributor Andrea Allievi, Microsoft
4 Introduction High performance tracing and fuzzing since High Performance Fuzzing Input selection Engine design AFL-DYNINST Windows fork() 2015 Go Speed Tracer Guided Fuzzing Binary translation Hardware tracing
5 Introduction High performance tracing and fuzzing since Harnessing Intel Processor Trace for Vulnerability Discovery Intel Processor Trace internals Usermode fuzzing with Intel Processor Trace Persistent mode fuzzing native Windows binaries In June 2016 we opensourced Windows driver for Intel Processor Trace
6 Introduction Today we will bring this knowledge to the context of fuzzing the Windows kernel See for previous slides and talk videos
7 Introduction Agenda Evolutionary Fuzzing Kernel Code Coverage Linux Kernel Fuzzing Windows Kernel Fuzzing Goals Understand the benefits of guided fuzzing Understand coverage collection techniques for kernels Identify critical Windows Kernel attack surface Learn how to apply state of the art fuzzing to kernels
8 Introduction Kernels are a critical attack surface Modern mitigations utilize isolation and sandboxing Weaponized exploits include kernel attacks Pwn2own Leaked government warez Kernel vulndev is still in its infancy Room for improvment on fuzzing tech
9 Introduction Application Sandboxing IE sandbox IE Protected Mode Chrome sandbox Adobe Reader sandbox etc Windows Isolation / Sandboxing Driver Signature Verification Patchguard / Kernel Patch Protection AppContainers ProcessMitigationPolicy etc
10 Introduction Prior Windows Kernel vulndev by the following people Ilja van Sprundel Mateusz Jurczyk Jesse Hertz Tim Newsham Nils Georgi Geshev James Loureio Peter Hlavaty Daniel King Marco Grassi Nikita Tarakanov
11 Evolutionary Fuzzing
12 Evolutionary Fuzzing History 2006: Sidewinder Sparks & Cunningham 2007: Evolutionary Fuzzing System Jared Demott 2007: Bunny the Fuzzer Michal Zalewski 2013: American Fuzzy Lop Michal Zalewski 2014: Nightmare/BCCF Joxean Koret 2015: Honggfuzz Robert Swiecki 2015: covfuzz Atte Kettunen 2016 : Choronzon Zisis Sialveras / Nikos Naziridis
13 Evolutionary Fuzzing Incrementally better mutational dumb fuzzing Trace while fuzzing and provide feedback signal Evolutionary algorithms Assess fitness of current input Manage a pool of possible inputs
14 Evolutionary Fuzzing Required Fast tracing engine Block granularity code coverage Fast logging Memory resident coverage map **Not a list of every basic block Fast evolutionary algorithm Minimum of global population map Maximum pool diversity
15 Desired Portable Easy to use Helper tools Grammar detection Evolutionary Fuzzing
16 Evolutionary Fuzzing AFL delivers the most complete package Lets review!
17 Amercian Fuzzy Lop Michal Zalewski 2013 Delivered the first performant opensource evolutionary fuzzer Features Variety of traditional mutation strategies Block coverage via compile time instrumentation Simplified approach to genetic algorithm Edge transitions are encoded as tuple and tracked in a bloom filter Includes coverage and frequency Uses portable* Posix API for shared memory, process creation
18 Amercian Fuzzy Lop Contributions Tracks edge transitions Not just block entry Global coverage map Generation tracking Fork server Reduce target initialization Persistent fuzzing Builds corpus of unique inputs reusable in other workflows
19 Trace Logging Each block gets a unique ID Amercian Fuzzy Lop Traversed edges are indexed into a byte map (bloom filter) Create a hash from the src and dst block IDs Increment map for each time an edge is traversed Each trace is easily comparable to the entire session history
20 Okay, so lets take a fuzzer that targets userland programs with source code and make it work for closed source Windows kernel targets! But first how about Windows binaries
21 WinAFL Ivan Fratric First performant windows evolutionary fuzzer Features Its American Fuzzy Lop! For Windows! Windows API port for memory and process creation DynamoRIO based code coverage Filter based on module Block and Edge tracing modes Persistent execution mode
22 WinAFL-IntelPT Richard Johnson First hardware assisted guided fuzzer for Windows First public guided fuzzer for Windows kernel Features Intel Processor Trace based coverage engine Online disassembly engine to decode Intel PT trace Filter based on module Edge tracing mode Persistent execution mode Kernel tracing mode
23 Kernel Code Coverage
24 Kernel Code Coverage Kernel code coverage can be elusive to obtain Opensource code can be instrumented by compilers Binary code must use runtime instrumentation, static rewriting, or hardware engines
25 Kernel Code Coverage Existing tools and approaches Source GCC gcc --coverage AFL adds hooks into the.s intermediate files Clang clang -fprofile-instr-generate -fcoverage-mapping afl-clang-fast uses a compiler pass
26 Kernel Code Coverage Existing tools and approaches Binary QEMU Hook Tiny Code Generator (TCG) translates IR to native ISA BOCHS Seems to work for j00ru syzygy Statically rewrite PE32 binaries with AFL Requires symbols Requires additional dev to make WinAFL kernel aware
27 Kernel Code Coverage Intel / AMD CPUs Branch Trace Store Per-kernel-thread hardware trace Use in combination with Last Branch Record to get edge transition Supported passthrough by some hypervisors
28 Kernel Code Coverage Intel / AMD CPUs Branch Trace Store New opensource software recently released for Windows BTS
29 Kernel Code Coverage Intel CPUs Intel Processor Trace Introduced in Broadwell / Skylake
30 Kernel Code Coverage Intel CPUs Intel Processor Trace Performance Low over-head (15% CPU perf hit for recording) Logs directly to physical memory Bypass TLB and eliminating cache pollution Minimal log format One bit per conditional branch Only indirect branches log dest address Additional overhead to decode trace, requires disassembly See Harnessing Intel Processor Trace for Vuln Discovery for deep dive
31 Kernel Code Coverage Intel CPUs Intel Processor Trace Sparse binary packet format Complex format - decode with Intel s opensource libipt library!
32 Kernel Code Coverage We have contributed two opensource projects to harness Intel Processor Trace! Get the code! WindowsPtDriver Implements Intel Processor Trace support for Windows PtCov Intel Processor Trace Library Userland API for interacting with the kernel mode driver Easily turn any existing file fuzzer into coverage driven fuzzer
33 Kernel Code Coverage PtCov Intel Processor Trace Library typedef struct _PtCovConfig { int cpu_number; DWORD trace_buffer_size; DWORD trace_mode; char *trace_modules[4]; // trace up to four module names char **cov_map; // optional user supplied buffer for afl coverage map int cov_map_size; char *ptdump_path; // optional path for saving intel ptdump file to disk } PtCovConfig; PTSTATUS ptcov_init(); PTSTATUS ptcov_init_trace(ptcovconfig *ptcov_config, PtCovCtx *ptcov_ctx);
34 Kernel Code Coverage PtCov Intel Processor Trace Library PTSTATUS ptcov_set_cpu_number(ptcovctx ptcov_ctx, int cpu_number); PTSTATUS ptcov_set_cpu_affinity(ptcovctx ptcov_ctx, KAFFINITY cpu_affinity); PTSTATUS ptcov_set_process_handle(ptcovctx ptcov_ctx, HANDLE process_handle); PTSTATUS ptcov_get_process_handle(ptcovctx ptcov_ctx, HANDLE *process_handle); PTSTATUS ptcov_get_free_processor(ptcovctx ptcov_ctx, int *processor_number); PTSTATUS ptcov_add_target_module(ptcovctx ptcov_ctx, char *module_name); PTSTATUS ptcov_add_target_driver(ptcovctx ptcov_ctx, char *driver_name); PTSTATUS ptcov_trace_process(ptcovctx ptcov_ctx, HANDLE process_handle); PTSTATUS ptcov_trace_driver(ptcovctx ptcov_ctx);
35 Kernel Code Coverage PtCov Intel Processor Trace Library PTSTATUS ptcov_start_trace(ptcovctx ptcov_ctx); PTSTATUS ptcov_pause_trace(ptcovctx ptcov_ctx); PTSTATUS ptcov_resume_trace(ptcovctx ptcov_ctx); PTSTATUS ptcov_clear_trace(ptcovctx ptcov_ctx); PTSTATUS ptcov_end_trace(ptcovctx ptcov_ctx); PTSTATUS ptcov_get_afl_map(ptcovctx ptcov_ctx, char **map);
36 Kernel Code Coverage Other methods Single step / branch step (BTF) Int 0x1 enabled on each instruction to singlestep DbgCtrl MSR flag to interrupt only on branch PMU Sampling Can be forced to interrupt on each branch Asynchronous but slow Works everywhere (including ARM) Dynamic binary translation Attempts with PIN for drivers, not public
37 Demo Windows Kernel Code Coverage
38 Linux Kernel Fuzzing
39 Linux Kernel Fuzzing Trinity Built into the Linux kernel tree Type aware via templates Not coverage driven #include "sanitise.h" struct syscallentry syscall_shmat = {.name = "shmat",.num_args = 3,.arg1name = "shmid",.arg2name = "shmaddr",.arg2type = ARG_ADDRESS,.arg3name = "shmflg", }; Jones has considered feedback-guided fuzzing for Trinity in the past, but found the coverage tools that were available at the time to be too slow.
40 Linux Kernel Fuzzing Syzkaller Coverage driven system call fuzzing Uses built in GCC port of ASAN coverage gcc -fsanitize-coverage=trace-pc Exposes coverage via /sys/kernel/debug/kcov Template driven for system call fuzzing Relies heavily on KASAN to catch bugs write(fd fd, buf buffer[in], count len[buf]) pwrite64(fd fd, buf buffer[in], count len[buf], pos fileoff) writev(fd fd, vec ptr[in, array[iovec_in]], vlen len[vec]) pwritev(fd fd, vec ptr[in, array[iovec_in]], vlen len[vec], off fileoff) lseek(fd fd, offset fileoff, whence flags[seek_whence])
41 Syzkaller Good support tooling WebUI for monitoring Good logging Repro minimizer Linux Kernel Fuzzing
42 Syzkaller Very effective, but.. Complicated to get setup properly Complex workflow Not easily retargetable Linux Kernel Fuzzing
43 Linux Kernel Fuzzing TriforceAFL 2016 Tim Newsham & Jesse Hertz (NCC Group) AFL compatible QEMU based coverage fuzzer Added fork server to QEMU post-boot Added a great serialization technique for APIs Allows to fuzz APIs via a file format
44 Linux Kernel Fuzzing TriforceAFL 2016 Tim Newsham & Jesse Hertz (NCC Group) Extends QEMU trace support in AFL to target kernel COW fork() of QEMU after boot for performance Extends native ISA with custom hypercalls (aflcall) startforkserver getwork startwork endwork
45 Linux Kernel Fuzzing TriforceAFL 2016 Tim Newsham & Jesse Hertz (NCC Group) Uses syscall templates / shapes Serializes system calls into files to fuzz with AFL Supports sequences of system calls Syscall shapes buffer, len, int fd, buffer fd, buffer, buffer, int fd, buffer, buffer, int, int fd, buffer, int etc Syscall types Int Buffer BufferLength FileContents FileName FileTableNumber
46 Demo TriforceAFL
47 Windows Kernel Fuzzing
48 Kernel Attack Surface Kernels attack surface includes any untrusted input Userland System calls, file parsers, software interrupts Devices Network, USB, Firewire, etc Two categories: structured input or APIs
49 Windows Kernel Attack Surface System Calls ntoskrnl.sys Windows system services ~465 system calls win32k.sys Kernel mode Graphics Display Interface support ~1216 system calls
50 Windows Kernel Attack Surface win32k.sys File Parsers Fonts TTF, OTF, FON Images BMP, JPEG, CUR, ANI, ICO Metafiles EMF, WMF
51 Windows Kernel Attack Surface Other attack surface Graphics drivers Audio drivers Network drivers Print drivers See other publications for deeper dives into attack surface
52 Windows Kernel Fuzzing Legacy ioctlfuzzer Dimitry Oleksander (cr4sh) Misc Syscall fuzzers Misc file format fuzzers Techniques Random syscall arguments or ioctl input Hooking and interception (ioctlfuzzer) Dumb or structured file fuzzing
53 Windows Kernel Fuzzing KernelFuzzer 2016 James Loureiro and Georgi Geshev Windows system API fuzzer Techniques Type aware API fuzzing Manual definition of generators per-type Pre-generated HANDLE tables Outputs C code for each testcase to repro after crash
54 Windows Kernel Fuzzing KernelFuzzer 2016 James Loureiro and Georgi Geshev Windows system API fuzzer Observations Type aware API fuzzing is effective Manual definition of generators is tedious Can benefit from TriforceAfl style API sequence generation
55 Windows Kernel Fuzzing GOOD NEWS! API fuzzing has a type-aware strategy and tools BAD NEWS! IOCTLs and Graphics drivers are opaque blobs Sounds like we need for evolutionary fuzzing!
56 Windows Graphics Driver Fuzzing
57 Windows Graphics Driver Fuzzing Windows Graphics Hierarchy Gdi32.dll -> Dxgkrnl.sys -> HW driver Interesting Direct3D functions D3DKMTEscape D3DKMTRender D3DKMTCreateAllocation D3DKMTCreateContext etc
58 Windows Graphics Driver Fuzzing D3DKMTEscape NTSTATUS D3DKMTEscape( _In_ const D3DKMT_ESCAPE *pdata ); Entry point for internal graphics functionality Each driver implements a proprietary format for *pdata A few header fields and command data This is a perfect target for evolutionary file format style fuzzing
59 Windows Graphics Driver Fuzzing D3DKMTEscape NTSTATUS D3DKMTEscape( _In_ const D3DKMT_ESCAPE *pdata ); Entry point for internal graphics functionality Each driver implements a proprietary format for *pdata A few header fields and command data This is a perfect target for evolutionary file format style fuzzing
60 Windows Graphics Driver Fuzzing Search for usage of D3DKMTEscape: "C:\Program Files\Git\bin\bash.exe" export output="/tmp/dumpbin.txt" rm $output for i in `find. -type d` ; \ do echo $i ; dumpbin -imports "$i/*.exe" ; dumpbin "$i/*.dll" ; \ done tee $output export srch="dump D3DKMT" egrep $srch $output grep -B2 D3D Dump of file./displayswitch.exe B1 D3DKMTNetDispStopMiracastDisplayDevice AD D3DKMTNetDispQueryMiracastDisplayDeviceSupport Dump of file./igfxcuiservice.exe 65 D3DKMTCloseAdapter A7 D3DKMTOpenAdapterFromDeviceName 81 D3DKMTEscape Dump of file./proximityuxhost.exe AD D3DKMTNetDispQueryMiracastDisplayDeviceSupport
61 Windows Graphics Driver Fuzzing Search for usage of D3DKMTEscape: windbg> bp dxgkrnl!dxgkescape ".echo DxgkEscape; kb 50; g;" 3: kd> kb 30 # RetAddr : Call Site 00 fffff803`7800c413 : win32kbase!ntgdiddddiescape ffe`fc4644e4 : nt!kisystemservicecopyend+0x ffe`f8b69e68 : win32u!ntgdiddddiescape+0x ffe`ebb595f7 : d3d11!ndxgi::cdevice::escapecb+0x ` : igd10iumd64!openadapter10_2+0x64a7b7
62 Windows Graphics Driver Fuzzing Search for usage of D3DKMTEscape: windbg> bp dxgkrnl!dxgkescape "kb 50; g;" 00 fffff013`640870b9 : dxgkrnl!dxgkescape 01 fffff803`7800c413 : win32kbase!ntgdiddddiescape+0x ffe`fc4644e4 : nt!kisystemservicecopyend+0x ffe`f8b69e68 : win32u!ntgdiddddiescape+0x ffe`eb8cbc0a : d3d11!ndxgi::cdevice::escapecb+0x a0`7218e808 : 0x00007ffe`eb8cbc0a `3d9a5108 : 0x000000a0`7218e a0`7218e8a8 : 0x `3d9a ffe`f8b13c2c : 0x000000a0`7218e8a ffe`f8be28eb : d3d11!ndxgi::cdevice::driversupportsoverlays+0x9c 0a 00007ffe`f8bad13e : d3d11!ndxgi::cdevice::getinternalmultiplaneoverlaycaps+0xff 0b 00007ffe`fa232c2f : d3d11!dxrt11::direct3ddevice::release+0xcb8e 0c 00007ffe`fa2152ef : dxgi!atl::ccomobject<cdxgilightweightdevice>::release+0x135ef 0d 00007ffe`fa : dxgi!cdxgioutput::getmultiplaneoverlaycaps+0x9f 0e 00007ffe`f96214a3 : dxgi!cdxgiswapchain::getmultiplaneoverlaycaps+0x54 0f `41c71070 : 0x00007ffe`f96214a3
63 Windows Graphics Driver Fuzzing Intel HD Graphics Driver igdkmd64.sys 7.5 MB graphics driver This won t end well
64 Windows Graphics Driver Fuzzing TALOS (Piotr Bania) Intel HD Graphics Windows Kernel Driver (igdkmd64) RCE Vulnerability igdkmd64!hybdriverentry+1485b0 fffff801`61fd0920 ff call qword ptr [rax+250h] fffff801`61fb33b1 : igdkmd64!hybdriverentry+0x1485b0 fffff801`61ee4166 : igdkmd64!hybdriverentry+0x12b041 fffff801`61edfa4a : igdkmd64!hybdriverentry+0x5bdf6 fffff801`61ed5b1f : igdkmd64!hybdriverentry+0x576da fffff801`61edc798 : igdkmd64!hybdriverentry+0x4d7af fffff801`61ed51b5 : igdkmd64!hybdriverentry+0x54428 fffff801`61e48613 : igdkmd64!hybdriverentry+0x4ce45 fffff801`61e48507 : igdkmd64+0x26613 fffff801`60d1ea34 : igdkmd64+0x26507 fffff801`60ceffef : dxgkrnl!dxgadapter::ddiescape+0x48 fffff960`002c563b : dxgkrnl!dxgkescape+0x54f fffff800`ac5d41b3 : win32k!ntgdiddddiescape+0x `770574aa : nt!kisystemservicecopyend+0x ` : 0x770574aa
65 Windows Graphics Driver Fuzzing NVIDIA Graphics Driver nvlddmkm.sys ~800 graphics handling functions This also won t end well
66 Windows Graphics Driver Fuzzing TALOS (Piotr Bania) Nvidia Windows Kernel Mode Driver ZwSetValueKey Denial Of Service nt!memcpy+0xa0: fffff801`b0bcfc20 f30f6f040a movdqu xmm0,xmmword ptr [rdx+rcx] ds:ffffd000`26a45ff8=?? ffffd000`26a44408 fffff801`b0bde42c : nt!kebugcheckex ffffd000`26a44808 fffff801`b0f26473 : nt!memcpy+0xa0 ffffd000`26a44810 fffff801`b0fbcd18 : nt!cmpsetvaluedatanew+0x157 ffffd000`26a44860 fffff801`b0f0f588 : nt!?? ::NNGAKEGL::`string'+0x27928 ffffd000`26a448d0 fffff801`b0e3a977 : nt!cmsetvaluekey+0x784 ffffd000`26a449e0 fffff801`b0bcebb3 : nt!ntsetvaluekey+0x55f ffffd000`26a44bb0 fffff801`b0bc7020 : nt!kisystemservicecopyend+0x13 ffffd000`26a44db8 fffff801`4175a51a : nt!kiservicelinkage ffffd000`26a44dc0 fffff801`4175a051 : nvlddmkm+0xb751a ffffd000`26a44f70 fffff801`41f44769 : nvlddmkm+0xc0faf ffffd000`26a44fb0 fffff801`41f39e24 : nvlddmkm!nvdumpconfig+0x1253a1 ffffd000`26a45580 fffff801`413604f8 : nvlddmkm!nvdumpconfig+0xdc075 ffffd000`26a45650 fffff801`413c5b4e : dxgkrnl!dxgadapter::ddiescape+0x48 ffffd000`26a45680 fffff960`002d41d3 : dxgkrnl!dxgkescape+0x802 ffffd000`26a45ab0 fffff801`b0bcebb3 : win32k!ntgdiddddiescape+0x53
67 Demo winafl-intelpt vs idgkmd64.sys
68
69
70
71
72 Conclusions Kernels expose a massive amount of attack surface Hardware tracing enables code coverage for tricky targets Coverage guided kernel fuzzing is new and promising Get the code! - Windows PT Driver available since Jan 2017 WinAFL-IntelPT available today PtCov library available next week
73
Building Advanced Coverage-guided Fuzzer for Program Binaries
Building Advanced Coverage-guided Fuzzer for Program Binaries NGUYEN Anh Quynh WEI Lei 17/11/2017 Zero Nights, Moscow 2017 Self-introduction NGUYEN Anh Quynh, PhD
More informationFuzzing AOSP. AOSP for the Masses. Attack Android Right Out of the Box Dan Austin, Google. Dan Austin Google Android SDL Research Team
Fuzzing AOSP For the Masses AOSP for the Masses Attack Android Right Out of the Box Dan Austin, Google Dan Austin Google Android SDL Research Team Exploitation: Find the Needle Needles are Interesting
More informationWriting a fuzzer. for any language with american fuzzy lop. Ariel Twistlock Labs
Writing a fuzzer for any language with american fuzzy lop Ariel Zelivansky @ Twistlock Labs What is fuzzing? Technique for testing software by providing it with random, unexpected or invalid input Dumb
More informationMoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation. Shankara Pailoor, Andrew Aday, Suman Jana Columbia University
MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation Shankara Pailoor, Andrew Aday, Suman Jana Columbia University 1 OS Fuzzing Popular technique to find OS vulnerabilities Primarily
More informationDarek Mihocka, Emulators.com Stanislav Shwartsman, Intel Corp. June
Darek Mihocka, Emulators.com Stanislav Shwartsman, Intel Corp. June 21 2008 Agenda Introduction Gemulator Bochs Proposed ISA Extensions Conclusions and Future Work Q & A Jun-21-2008 AMAS-BT 2008 2 Introduction
More informationFuzzing. compass-security.com 1
Fuzzing compass-security.com 1 Fuzzing Finding bugs by bombarding target with nonconform data Think: Flip a few bits in a PDF, then start Acrobat with that PDF Just more automated Steps: Create input corpus
More informationIdentifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교
Identifying Memory Corruption Bugs with Compiler Instrumentations 이병영 ( 조지아공과대학교 ) blee@gatech.edu @POC2014 How to find bugs Source code auditing Fuzzing Source Code Auditing Focusing on specific vulnerability
More informationPROTECTING YOUR NETWORK. Richard Johnson RECON 2016
PROTECTING YOUR NETWORK Richard Johnson RECON 2016 Go Speed Tracer Introduction Richard Johnson Research Manager Cisco Talos Team Aleksandar Nikolich Ali Rizvi-Santiago Marcin Noga Piotr Bania Tyler Bohan
More informationImproving Linux development with better tools
Improving Linux development with better tools Andi Kleen Oct 2013 Intel Corporation ak@linux.intel.com Linux complexity growing Source lines in Linux kernel All source code 16.5 16 15.5 M-LOC 15 14.5 14
More informationMalware
reloaded Malware Research Team @ @xabiugarte Motivation Design principles / architecture Features Use cases Future work Dynamic Binary Instrumentation Techniques to trace the execution of a binary (or
More informationImproving Linux Development with better tools. Andi Kleen. Oct 2013 Intel Corporation
Improving Linux Development with better tools Andi Kleen Oct 2013 Intel Corporation ak@linux.intel.com Linux complexity growing Source lines in Linux kernel All source code 16.5 16 15.5 M-LOC 15 14.5 14
More informationKLEE Workshop Feeding the Fuzzers. with KLEE. Marek Zmysłowski MOBILE SECURITY TEAM R&D INSTITUTE POLAND
Feeding the Fuzzers with KLEE Marek Zmysłowski MOBILE SECURITY TEAM R&D INSTITUTE POLAND This presentation was created with help and commitment of the Samsung R&D Poland Mobile Security team. KLEE and
More informationSpectre and Meltdown. Clifford Wolf q/talk
Spectre and Meltdown Clifford Wolf q/talk 2018-01-30 Spectre and Meltdown Spectre (CVE-2017-5753 and CVE-2017-5715) Is an architectural security bug that effects most modern processors with speculative
More informationIt was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to
1 2 It was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to keep putting garbage characters into the command
More informationRabbit in the Loop. A primer on feedback directed fuzzing using American Fuzzy Lop. by Kevin Läufer
Rabbit in the Loop A primer on feedback directed fuzzing using American Fuzzy Lop Abstract by Kevin Läufer This guide aims to provide the reader with a good intuition about the
More informationMeltdown and Spectre - understanding and mitigating the threats
Meltdown and Spectre - understanding and mitigating the threats Gratuitous vulnerability logos Jake Williams @MalwareJake SANS / Rendition Infosec sans.org / rsec.us @RenditionSec The sky isn t falling!
More informationMeltdown and Spectre - understanding and mitigating the threats (Part Deux)
Meltdown and Spectre - understanding and mitigating the threats (Part Deux) Gratuitous vulnerability logos Jake Williams @MalwareJake SANS / Rendition Infosec sans.org / rsec.us @SANSInstitute / @RenditionSec
More informationJuwei Lin. - Joined TrendMicro Since Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting
Juwei Lin - @panicaii - Joined TrendMicro Since 2013 - Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting Lilang Wu - @Lilang_Wu - Joined Trend Micro Since 2016
More informationCOMPUTER ARCHITECTURE. Virtualization and Memory Hierarchy
COMPUTER ARCHITECTURE Virtualization and Memory Hierarchy 2 Contents Virtual memory. Policies and strategies. Page tables. Virtual machines. Requirements of virtual machines and ISA support. Virtual machines:
More informationStructure-aware fuzzing
Structure-aware fuzzing for real-world projects Réka Kovács Eötvös Loránd University, Hungary rekanikolett@gmail.com 1 Overview tutorial, no groundbreaking discoveries Motivation growing code size -> growing
More informationHypervisor security. Evgeny Yakovlev, DEFCON NN, 2017
Hypervisor security Evgeny Yakovlev, DEFCON NN, 2017 whoami Low-level development in C and C++ on x86 UEFI, virtualization, security Jetico, Kaspersky Lab QEMU/KVM developer at Virtuozzo 2 Agenda Why hypervisor
More informationThe Fuzzing Project https://fuzzing-project.org/
The Fuzzing Project https://fuzzing-project.org/ Hanno Böck 1 / 18 Motivation Motivation Fuzzing C Memory Bugs Invalid memory access example Do you use tools like strings, less, file, convert, ldd, unzip,...?
More informationsecubt Hacking the Hackers with User Space Virtualization
secubt Hacking the Hackers with User Space Virtualization Mathias Payer Mathias Payer: secubt User Space Virtualization 1 Motivation Virtualizing and encapsulating running programs
More informationSoftware Security IV: Fuzzing
1 Software Security IV: Fuzzing Chengyu Song Slides modified from Dawn Song 2 Administrivia Homework1 Due: Friday Oct 27 11:59pm Questions regarding reading materials Talk Security R&D in a Security Company:
More informationSmarter fuzzing using sound and precise static analyzers
Smarter fuzzing using sound and precise static analyzers Pascal Cuoq, Chief Scientist, TrustInSoft January 31, 2017 Pascal Cuoq, Chief Scientist, TrustInSoft smarter fuzzing January 31, 2017 1 / 8 Introduction
More informationJuwei Lin. - Joined TrendMicro Since Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting
Juwei Lin - @panicaii - Joined TrendMicro Since 2013 - Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting Lilang Wu - @Lilang_Wu - Joined Trend Micro Since 2016
More informationAutomatizing vulnerability research
Innova&on & Research Symposium Cisco and Ecole Polytechnique 8-9 April 2018 CEDRIC TESSIER INSTRUMENTATION TEAM LEADER / ctessier@quarkslab.com Automatizing vulnerability research to better face new software
More informationFault Injection in System Calls
Fault Injection in System Calls Angelo Haller 2015-05-28 Fault Injection in System Calls 1 Angelo Haller 1 Why System Calls? 2 Trinity Bugs Found Inner Workings Fuzzing Process 3 Demo Annotated System
More informationHaving fun with apple s IOKit. Ilja van sprundel
Having fun with apple s IOKit Ilja van sprundel who am I Ilja van sprundel IOActive netric blogs.23.nu/ilja Introduction what is the IOKit why UserClients entry points marshaling
More informationReverse Engineering Malware Dynamic Analysis of Binary Malware II
Reverse Engineering Malware Dynamic Analysis of Binary Malware II Jarkko Turkulainen F-Secure Corporation Protecting the irreplaceable f-secure.com Advanced dynamic analysis Debugger scripting Hooking
More informationSoftware security, secure programming
Software security, secure programming Fuzzing and Dynamic Analysis Master on Cybersecurity Master MoSiG Academic Year 2017-2018 Outline Fuzzing (or how to cheaply produce useful program inputs) A concrete
More informationOperating systems. Lecture 7
Operating systems. Lecture 7 Michał Goliński 2018-11-13 Introduction Recall Plan for today History of C/C++ Compiler on the command line Automating builds with make CPU protection rings system calls pointers
More informationRuntime Defenses against Memory Corruption
CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,
More informationFuzzing For Worms 16/06/2018. Fuzzing For Worms. AFL for Linux Network Servers
1 AFL for Linux Network Servers 16/6/218 Fuzzing For Worms. About Me 2 1 16/6/218 SSL/TLS Recommendations // OWASP Switzerland 213 Dobin Rutishauser 2 BurpSentinel - Semi Automated Web Scanner // BSides
More informationTHE GREAT ESCAPES OF VMWARE: A RETROSPECTIVE CASE STUDY OF VMWARE GUEST-TO-HOST ESCAPE VULNERABILITIES
THE GREAT ESCAPES OF VMWARE: A RETROSPECTIVE CASE STUDY OF VMWARE GUEST-TO-HOST ESCAPE VULNERABILITIES Presented By : Debasish Mandal & Yakun Zhang About Us: Debasish Mandal Security researcher on McAfee
More informationMaking Dynamic Instrumentation Great Again
Making Dynamic Instrumentation Great Again Malware Research Team @ @xabiugarte [advertising space ] Deep Packer Inspector https://packerinspector.github.io https://packerinspector.com Many instrumentation
More informationHigh Performance Fuzzing
High Performance Fuzzing Richard Johnson Hushcon 2015 Introduction Whoami Richard Johnson / @richinseattle Research Manager, Vulnerability Development Cisco, Talos Security Intelligence and Research Group
More informationMeltdown or "Holy Crap: How did we do this to ourselves" Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory
Meltdown or "Holy Crap: How did we do this to ourselves" Abstract Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory locations Breaks all security assumptions given
More informationSoftware Vulnerability
Software Vulnerability Refers to a weakness in a system allowing an attacker to violate the integrity, confidentiality, access control, availability, consistency or audit mechanism of the system or the
More informationXen and the Art of Virtualization
Xen and the Art of Virtualization Paul Barham,, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer,, Ian Pratt, Andrew Warfield University of Cambridge Computer Laboratory Presented
More informationCS 155: Real-World Security
CS 155: Real-World Security April 14, 2016 Alex Stamos CSO, Facebook Why are you here? Agenda We are going to discuss: How bugs are found How defense works in the real world We will walk through some:
More informationSandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018
Sandboxing CS-576 Systems Security Instructor: Georgios Portokalidis Sandboxing Means Isolation Why? Software has bugs Defenses slip Untrusted code Compartmentalization limits interference and damage!
More informationConfinement (Running Untrusted Programs)
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules
More informationEfficient Software Based Fault Isolation. Software Extensibility
Efficient Software Based Fault Isolation Robert Wahbe, Steven Lucco Thomas E. Anderson, Susan L. Graham Software Extensibility Operating Systems Kernel modules Device drivers Unix vnodes Application Software
More informationHSA Foundation! Advanced Topics on Heterogeneous System Architectures. Politecnico di Milano! Seminar Room (Bld 20)! 15 December, 2017!
Advanced Topics on Heterogeneous System Architectures HSA Foundation! Politecnico di Milano! Seminar Room (Bld 20)! 15 December, 2017! Antonio R. Miele! Marco D. Santambrogio! Politecnico di Milano! 2
More informationEfficient and Large Scale Program Flow Tracing in Linux. Alexander Shishkin, Intel
Efficient and Large Scale Program Flow Tracing in Linux Alexander Shishkin, Intel 16.09.2013 Overview Program flow tracing - What is it? - What is it good for? Intel Processor Trace - Features / capabilities
More informationNew features in AddressSanitizer. LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany
New features in AddressSanitizer LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany Agenda AddressSanitizer (ASan): a quick reminder New features: Initialization-order-fiasco Stack-use-after-scope
More informationVirtualization and memory hierarchy
Virtualization and memory hierarchy Computer Architecture J. Daniel García Sánchez (coordinator) David Expósito Singh Francisco Javier García Blas ARCOS Group Computer Science and Engineering Department
More informationRuntime Integrity Checking for Exploit Mitigation on Embedded Devices
Runtime Integrity Checking for Exploit Mitigation on Embedded Devices Matthias Neugschwandtner IBM Research, Zurich eug@zurich.ibm.com Collin Mulliner Northeastern University, Boston collin@mulliner.org
More informationMaking things work as expected
Making things work as expected System Programming Lab Maksym Planeta Björn Döbel 20.09.2018 Table of Contents Introduction Hands-on Tracing made easy Dynamic intervention Compiler-based helpers The GNU
More informationVirtualizing IoT with Code Coverage Guided Fuzzing
Virtualizing IoT with Code Coverage Guided Fuzzing HITB2018DXB, November 2018 NGUYEN Anh Quynh, aquynh -at- gmail.com KaiJern LAU, kj -at- theshepherd.io About NGUYEN Anh Quynh > Nanyang Technological
More informationMonitoring Hypervisor Integrity at Runtime. Student: Cuong Pham PIs: Prof. Zbigniew Kalbarczyk, Prof. Ravi K. Iyer ACC Meeting, Oct 2015
Monitoring Hypervisor Integrity at Runtime Student: Cuong Pham PIs: Prof. Zbigniew Kalbarczyk, Prof. Ravi K. Iyer ACC Meeting, Oct 2015 Motivation - Server Virtualization Trend x86 servers were virtualized
More informationCoverage-guided Fuzzing of Individual Functions Without Source Code
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results
More informationComprehensive Kernel Instrumentation via Dynamic Binary Translation
Comprehensive Kernel Instrumentation via Dynamic Binary Translation Peter Feiner Angela Demke Brown Ashvin Goel University of Toronto 011 Complexity of Operating Systems 012 Complexity of Operating Systems
More informationTest Automation. 20 December 2017
Test Automation 20 December 2017 The problem of test automation Testing has repetitive components, so automation is justified The problem is cost-benefit evaluation of automation [Kaner] Time for: test
More informationCS 471 Operating Systems. Yue Cheng. George Mason University Fall 2017
CS 471 Operating Systems Yue Cheng George Mason University Fall 2017 Introduction o Instructor of Section 002 Dr. Yue Cheng (web: cs.gmu.edu/~yuecheng) Email: yuecheng@gmu.edu Office: 5324 Engineering
More informationHexType: Efficient Detection of Type Confusion Errors for C++ Yuseok Jeon Priyam Biswas Scott A. Carr Byoungyoung Lee Mathias Payer
HexType: Efficient Detection of Type Confusion Errors for C++ Yuseok Jeon Priyam Biswas Scott A. Carr Byoungyoung Lee Mathias Payer Motivation C++ is a popular programming language Google Chrome, Firefox,
More informationQEMU: Architecture and Internals Lecture for the Embedded Systems Course CSD, University of Crete (April 18, 2016)
QEMU: Architecture and Internals Lecture for the Embedded Systems Course CSD, University of Crete (April 18, 2016) ManolisMarazakis (maraz@ics.forth.gr) Institute of Computer Science (ICS) Foundation for
More informationCopyright 2015 MathEmbedded Ltd.r. Finding security vulnerabilities by fuzzing and dynamic code analysis
Finding security vulnerabilities by fuzzing and dynamic code analysis Security Vulnerabilities Top code security vulnerabilities don t change much: Security Vulnerabilities Top code security vulnerabilities
More informationRISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas
RISCV with Sanctum Enclaves Victor Costan, Ilia Lebedev, Srini Devadas Today, privilege implies trust (1/3) If computing remotely, what is the TCB? Priviledge CPU HW Hypervisor trusted computing base OS
More informationJOE ROZNER RE-TARGETABLE GRAMMAR BASED TEST CASE GENERATION
JOE ROZNER / @JROZNER RE-TARGETABLE GRAMMAR BASED TEST CASE GENERATION 2 TESTING PARSERS IS HARD 3 HOW WE GOT HERE Mostly black box (ish) implementation of complex languages (context-free-ish) ~35k lines
More informationForeword by Katie Moussouris... Acknowledgments... xvii. Introduction...xix. Chapter 1: The Basics of Networking... 1
Brief Contents Foreword by Katie Moussouris.... xv Acknowledgments... xvii Introduction...xix Chapter 1: The Basics of Networking... 1 Chapter 2: Capturing Application Traffic... 11 Chapter 3: Network
More informationMisc. Third Generation Batch Multiprogramming. Fourth Generation Time Sharing. Last Time Evolution of OSs
Third Generation Batch Multiprogramming Misc. Problem: but I/O still expensive; can happen in middle of job Idea: have a pool of ready jobs in memory, switch to one when another needs I/O When one job
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 16: Building Secure Software Department of Computer Science and Engineering University at Buffalo 1 Review A large number of software vulnerabilities various
More informationCharm: Facilitating Dynamic Analysis of Device Drivers of Mobile Systems
Charm: Facilitating Dynamic Analysis of Device Drivers of Mobile Systems Seyed Mohammadjavad Seyed Talebi, Hamid Tavakoli, Hang Zhang, Zheng Zhang, Ardalan Amiri Sani, Zhiyun Qian UC Irvine UC Riverside
More informationCprE Virtualization. Dr. Yong Guan. Department of Electrical and Computer Engineering & Information Assurance Center Iowa State University
Virtualization Dr. Yong Guan Department of Electrical and Computer Engineering & Information Assurance Center Iowa State University Outline for Today s Talk Introduction Virtualization Technology Applications
More informationDigging Deep: Finding 0days in Embedded Systems with Code Coverage Guided Fuzzing
Digging Deep: Finding 0days in Embedded Systems with Code Coverage Guided Fuzzing NGUYEN Anh Quynh Kai Jern LAU HackInTheBox - Beijing, November 2nd, 2018
More informationBlack Hat Webcast Series. C/C++ AppSec in 2014
Black Hat Webcast Series C/C++ AppSec in 2014 Who Am I Chris Rohlf Leaf SR (Security Research) - Founder / Consultant BlackHat Speaker { 2009, 2011, 2012 } BlackHat Review Board Member http://leafsr.com
More informationCSE 451: Operating Systems Winter Page Table Management, TLBs and Other Pragmatics. Gary Kimura
CSE 451: Operating Systems Winter 2013 Page Table Management, TLBs and Other Pragmatics Gary Kimura Moving now from Hardware to how the OS manages memory Two main areas to discuss Page table management,
More informationJailbreaking. Apple Watch. Max Bazaliy. December 4-7, 2017
1 2 Jailbreaking 3 4 5 Apple Watch 6 7 8 9 Max Bazaliy 10 11 12 whoami 1 2 3 o Security researcher at Lookout o ios/tvos/watchos jailbreak author o Lead researcher on Pegasus exploit chain o Focused on
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationEnhancing Memory Error Detection for Large-Scale Applications and Fuzz testing
Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han, Byunggil Joe, Byoungyoung Lee *, Chengyu Song, Insik Shin KAIST, * Purdue, UCR 1 Memory error Heartbleed Shellshock
More informationOS Structure. Kevin Webb Swarthmore College January 25, Relevant xkcd:
OS Structure Kevin Webb Swarthmore College January 25, 2018 Relevant xkcd: One of the survivors, poking around in the ruins with the point of a spear, uncovers a singed photo of Richard Stallman. They
More informationPROCESS VIRTUAL MEMORY. CS124 Operating Systems Winter , Lecture 18
PROCESS VIRTUAL MEMORY CS124 Operating Systems Winter 2015-2016, Lecture 18 2 Programs and Memory Programs perform many interactions with memory Accessing variables stored at specific memory locations
More informationBPF Hardware Offload Deep Dive
BPF Hardware Offload Deep Dive Jakub Kicinski 2018 NETRONOME SYSTEMS, INC. BPF Sandbox As a goal of BPF IR JITing of BPF IR to most RISC cores should be very easy BPF VM provides a simple and well understood
More informationSpectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment. Orin Jeff Melnick
Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment Orin Thomas @orinthomas Jeff Melnick Jeff.Melnick@Netwrix.com In this session Vulnerability types Spectre Meltdown Spectre
More informationXen and the Art of Virtualization. Nikola Gvozdiev Georgian Mihaila
Xen and the Art of Virtualization Nikola Gvozdiev Georgian Mihaila Outline Xen and the Art of Virtualization Ian Pratt et al. I. The Art of Virtualization II. Xen, goals and design III. Xen evaluation
More informationOperating Systems. Operating System Structure. Lecture 2 Michael O Boyle
Operating Systems Operating System Structure Lecture 2 Michael O Boyle 1 Overview Architecture impact User operating interaction User vs kernel Syscall Operating System structure Layers Examples 2 Lower-level
More informationFPGA Manager. State of the Union. Moritz Fischer, National Instruments
FPGA Manager State of the Union Moritz Fischer, National Instruments $whoami Embedded Software Engineer at National Instruments Other stuff I do: U-Boot, OE, Linux Kernel Co-Maintainer of FPGA Manager
More informationWhat is KVM? KVM patch. Modern hypervisors must do many things that are already done by OSs Scheduler, Memory management, I/O stacks
LINUX-KVM The need for KVM x86 originally virtualization unfriendly No hardware provisions Instructions behave differently depending on privilege context(popf) Performance suffered on trap-and-emulate
More informationVirtual Machines. To do. q VM over time q Implementation methods q Hardware features supporting VM q Next time: Midterm?
Virtual Machines To do q VM over time q Implementation methods q Hardware features supporting VM q Next time: Midterm? *Partially based on notes from C. Waldspurger, VMware, 2010 and Arpaci-Dusseau s Three
More informationcuda-on-cl A compiler and runtime for running NVIDIA CUDA C++11 applications on OpenCL 1.2 devices Hugh Perkins (ASAPP)
cuda-on-cl A compiler and runtime for running NVIDIA CUDA C++11 applications on OpenCL 1.2 devices Hugh Perkins (ASAPP) Demo: CUDA on Intel HD5500 global void setvalue(float *data, int idx, float value)
More informationDynamic Binary Instrumentation: Introduction to Pin
Dynamic Binary Instrumentation: Introduction to Pin Instrumentation A technique that injects instrumentation code into a binary to collect run-time information 2 Instrumentation A technique that injects
More informationNON SCHOLAE, SED VITAE
TDIU11 Operating systems Operating System Structures and Machines [SGG7/8] Chapter 2.7-2.8 [SGG9] Chapter 2.7, 1.11.6 Copyright Notice: The lecture notes are modifications of the slides accompanying the
More informationOverview of System Virtualization: The most powerful platform for program analysis and system security. Zhiqiang Lin
CS 6V81-05: System Security and Malicious Code Analysis Overview of System Virtualization: The most powerful platform for program analysis and system security Zhiqiang Lin Department of Computer Science
More informationThe Challenges of XDP Hardware Offload
FOSDEM 18 Brussels, 2018-02-03 The Challenges of XDP Hardware Offload Quentin Monnet @qeole ebpf and XDP Q. Monnet XDP Hardware Offload 2/29 ebpf, extended Berkeley Packet
More informationInput / Output. Kevin Webb Swarthmore College April 12, 2018
Input / Output Kevin Webb Swarthmore College April 12, 2018 xkcd #927 Fortunately, the charging one has been solved now that we've all standardized on mini-usb. Or is it micro-usb? Today s Goals Characterize
More informationSupport for Smart NICs. Ian Pratt
Support for Smart NICs Ian Pratt Outline Xen I/O Overview Why network I/O is harder than block Smart NIC taxonomy How Xen can exploit them Enhancing Network device channel NetChannel2 proposal I/O Architecture
More informationTolerating Malicious Drivers in Linux. Silas Boyd-Wickizer and Nickolai Zeldovich
XXX Tolerating Malicious Drivers in Linux Silas Boyd-Wickizer and Nickolai Zeldovich How could a device driver be malicious? Today's device drivers are highly privileged Write kernel memory, allocate memory,...
More informationM 3 Microkernel-based System for Heterogeneous Manycores
M 3 Microkernel-based System for Heterogeneous Manycores Nils Asmussen MKC, 06/29/2017 1 / 35 Outline 1 Introduction 2 Data Transfer Unit 3 Prototype Platforms 4 M 3 5 Summary 2 / 35 Outline 1 Introduction
More informationSoftware Routers: NetMap
Software Routers: NetMap Hakim Weatherspoon Assistant Professor, Dept of Computer Science CS 5413: High Performance Systems and Networking October 8, 2014 Slides from the NetMap: A Novel Framework for
More informationVirtualization. Operating Systems, 2016, Meni Adler, Danny Hendler & Amnon Meisels
Virtualization Operating Systems, 2016, Meni Adler, Danny Hendler & Amnon Meisels 1 What is virtualization? Creating a virtual version of something o Hardware, operating system, application, network, memory,
More informationMarek Szyprowski Samsung R&D Institute Poland
Marek Szyprowski m.szyprowski@samsung.com Samsung R&D Institute Poland Quick Introduction to Linux DRM A few words on atomic KMS API Exynos DRM IPP subsystem New API proposal Some code examples Summary
More informationHSA foundation! Advanced Topics on Heterogeneous System Architectures. Politecnico di Milano! Seminar Room A. Alario! 23 November, 2015!
Advanced Topics on Heterogeneous System Architectures HSA foundation! Politecnico di Milano! Seminar Room A. Alario! 23 November, 2015! Antonio R. Miele! Marco D. Santambrogio! Politecnico di Milano! 2
More informationWindows Persistent Memory Support
Windows Persistent Memory Support Neal Christiansen Microsoft Agenda Review: Existing Windows PM Support What s New New PM APIs Large & Huge Page Support Dax aware Write-ahead LOG Improved Driver Model
More informationHeapple Pie. The macos/ios default heap. Date 14/09/2018. At Sthack 2018 By Eloi Benoist-Vanderbeken
Heapple Pie The macos/ios default heap Date 14/09/2018 At Sthack 2018 By Eloi Benoist-Vanderbeken Whoami Eloi Benoist-Vanderbeken @elvanderb on twitter Working for Synacktiv: Offensive security company
More informationMemory management. Single process. Multiple processes. How to: All memory assigned to the process Addresses defined at compile time
Memory management Single process All memory assigned to the process Addresses defined at compile time Multiple processes. How to: assign memory manage addresses? manage relocation? manage program grow?
More informationStatic Analysis and Bugfinding
Static Analysis and Bugfinding Alex Kantchelian 09/12/2011 Last week we talked about runtime checking methods: tools for detecting vulnerabilities being exploited in deployment. So far, these tools have
More informationLinux Kernel Testing: Where Are We? Guenter Roeck, Google
Linux Kernel Testing: Where Are We? Guenter Roeck, Google linux@roeck-us.net Agenda Test Suites Testbeds Summary Next steps Test Suites Test Suites Linux Test Project (LTP) Module tests in tools/testing
More informationAdministrivia. Lab 1 due Friday 12pm. We give will give short extensions to groups that run into trouble. But us:
Administrivia Lab 1 due Friday 12pm. We give will give short extensions to groups that run into trouble. But email us: - How much is done & left? - How much longer do you need? Attend section Friday at
More information